Encryption has been a hot-button topic on the campaign trail this year. Republicans have talked about it. Democrats have debated it. The White House has weighed in on the issue. But to best understand the argument around encryption, you need to know what it actually is.
Practically as old as secrets themselves, encryption — or cryptography, as it’s sometimes called — is a way of scrambling a message to make it unreadable. The Nazis famously jumbled their communications with a device called the Enigma Machine in World War II, but the Allies were eventually able to figure out the code. Today’s best cryptography is advanced enough that it’s impossible for even the world’s greatest code breakers to crack.
Modern encryption takes a file and scrambles its content, sometimes also adding bits of meaningless information. It does this using an encryption key, essentially an algorithm that instructs a computer how to scramble (or unscramble) a file.
As an example, imagine you had a Word document with all your secret personal information in it. If the file was encrypted, and you opened it without the encryption key, you would see hundreds or thousands of lines of random characters instead of your data.
Now imagine that encrypted file contained your medical and financial records, and was sitting in a company’s database. If somebody hacked into that data center, they wouldn’t be able to learn anything about your health or finances — so long as they can’t break the encryption.
This all may sound simple enough. But there’s heavy-duty math powering encryption. To save your eyes from glazing over, take it from EE Times: It would take 1 billion years to crack 128-bit encryption using a supercomputer to try every possible combination, a process known as “brute force.” Many of today’s computers use even stronger 256-bit encryption. (There is reason to believe encryption may not be as secure as we think: Edward Snowden’s leaks suggest groups like the National Security Agency can break many of the world’s top security standards.)
Putting that aside, encryption still protects a great deal of data from hackers of all stripes. One form of encryption secures data as it whizzes around the Web. Every time a web address on your browser begins with “https” instead of “http,” it’s sending and receiving encrypted information. The extra “s” stands for “secure.” It’s found on many websites, from banks and online stores to social networks like Facebook and Twitter. In technical terms, when you see that “s,” the website has invoked a “Secure Sockets Layer,” or SSL.
Trent Telford, CEO of security firm Covata, describes SSL as a secure tunnel from Point A to Point B. “When we log onto banking or anything secure and we see the SSL connection and the padlock, that’s the secure tunnel,” he says. “What’s happening is the data or the files going up and down the tunnel are in the clear.”
But in recent years, hackers have shown increasing interest in the data at the end of the tunnel. That’s where data breaches at major organizations such as Sony, Anthem, and the U.S. federal government took place. For Sony, it meant sensitive and embarrassing emails were essentially lying out in the open, able to be copied and read by hackers. In the Anthem hack, tens of millions of the insurance company’s customers had their Social Security numbers, addresses, and phone numbers stolen because the information wasn’t encrypted. Likewise, the federal Office of Personnel Management database included personal information of more than 4 million government employees. Had this data been well encrypted, the hackers would’ve had a harder time getting to the data. Instead, identity theft is now a daily concern for the people who had their information stolen.
That brings us back to today’s debate over encryption. The question: Should web companies provide “backdoors” so that law enforcement can access encrypted data? Those who say “yes” believe cops need that access to stop criminals and save lives. But the “no” camp holds that backdoors will inevitably open up access for hackers, too. How this debate is settled will have big implications for our online security and safety for years to come.